The GDPR is a data privacy law that upholds the rights of individuals in the EU and gives them more control over how organizations use their data. If your company handles the personal information of people in the EU, it is expected to comply with the GDPR. Like any other regulation, the GDPR requires an organization to abide by the rules and requirements outlined in the law.
The organization is expected to not just implement measures outlined in the law, but also have in place certain legal documents and statements that are an essential part of the regulatory requirement. One such document is the GDPR Privacy Notice. This is an important document that is expected to be published by the organization on its website or provided to individuals whose data is processed by the organization.
This article explains the importance and relevance of this document and covers what you, as an organization, need to know about the GDPR Privacy Notice and its requirement under the regulation.
What is a Privacy Notice?
A Privacy Notice is a document required under GDPR compliance requirements that explains how the organization processes personal data. It ensures transparency in data processing and helps individuals exercise more control over the data the organization uses.
The GDPR requires an organization to provide such a document detailing the purpose of collecting data and the way the data will be stored, used, and processed by the organization. It is also important to understand that a GDPR Privacy Notice is very different from a Privacy Policy; the two documents are often confused and treated as if they were the same.
Let us understand the difference between the two documents before we proceed any further on understanding the regulatory requirement of the GDPR Privacy Notice.
How is a Privacy Notice Different from a Privacy Policy?
Privacy Policy and Privacy Notice are terms used not just in the GDPR but also in other data security and privacy laws. Although they sound similar and are often used interchangeably, they are different documents that serve different purposes. So, let us understand how the two documents differ and for what purpose each is required.
When Should You Provide GDPR Privacy Notice?
The GDPR requires organizations processing personal data to provide or publish an explicit Privacy Notice in order to meet the lawful processing requirement for personal data. The lawful basis for processing data is not just about gaining consent from the individual but also about keeping them informed about how the data will be stored and used, and about the measures taken to protect the confidentiality and integrity of the data. GDPR Articles 12, 13 and 14 set out clear guidance on how to provide information and communicate to individuals about the personal data collected and used.
The Privacy Notice must be provided when personal data is collected from individuals in the EU, or when they are first contacted with regard to the collection of their personal data. This should be at the time the data is obtained indirectly, or within one month of obtaining the data, whichever comes first. The Privacy Notice must also be provided before the data is used for purposes other than the one originally stated when the data was collected.
What information is included in a Privacy Notice?
The Privacy Notice must contain the following information when published or provided to individuals:
When the personal data is collected directly from individuals:
- Contact details of the organization and of its Data Protection Officer.
- The purpose of collecting and processing personal data, including the legal basis for doing so.
- Details of the legitimate interests of the organization, where these are relied upon.
- Whether the personal data will be transferred to another country, and the security measures implemented to protect the privacy of the data.
- The types of personal data collected and processed.
- The retention period for using and/or processing the personal data.
- The data subject's rights and the ways of exercising those rights.
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the consequences of failing to provide the personal data.
- Information about any automated decision-making, including profiling: how the system works, its significance, and its consequences for the individual.
When personal data is collected from a third party:
If an organization obtains the personal data indirectly from a third party, then the Privacy Notice must include all the information mentioned above, and also:
- The categories of personal data collected.
- Information on the source and whether the source of data is publicly accessible.
It is important to note that this information must be shared with the individual no later than one month after the data was obtained, at the time the data subject is first communicated with, or before the data is shared with another organization, whichever comes first.
What is the GDPR Privacy Notice Best Practice?
The GDPR requires organizations to provide people with a Privacy Notice that is:
- Clear, concise, transparent, and in an easily accessible form.
- Written in plain and clear language, especially when it is addressed to a child.
- Provided free of charge.
- Free of qualifiers such as "may," "might," "some," and "often," as these can make the notice seem vague or purposely misleading.
- Written in the active voice, with well-structured sentences and paragraphs and bullet points to highlight specific points of note.
The European Commission has provided GDPR guidelines outlining phrases that should be avoided since they are not sufficiently clear as to the purposes of the processing.
Final Thought
Data protection is not just the responsibility of Data Controllers but also of Data Processors and everyone else involved in handling personal data. They share the responsibility of keeping individuals informed about the use of their data. Since individuals have the right to know how their information is used, the Privacy Notice is a crucial document. By telling individuals how their personal data will be used, it reassures them that the organization is taking measures to protect the privacy of their data and that it is not misused in any way. This helps build trust among customers and reflects the efforts the organization has made toward data protection.